hdx

Reputation: 4548

Struts2 Freemarker XSS Vulnerability

In my application we use the struts URL tag in our freemarker templates like this:

<@s.url action="struts-action-name"/>

The issue is that instead of appending the action url to the root url of the application it actually appends it to the current URL.

Say we hit www.example.com/community/examples/xss187ba"><ScRiPt>alert(1)</ScRiPt>506d1768713/career_development, and in the ftl for that page we have a form like this:

<form action="<@s.url action="struts-action-name"/>">

The rendered ftl would look like this:

<form action="/community/examples/xss187ba"><ScRiPt>alert(1)</ScRiPt>506d1768713/career_development">

Which causes an alert to pop up... Has anyone dealt with this issue? Is this a bug in Struts or are we doing something wrong here?

The obvious fix is to use the URL tag like this:

<form action="<@s.url value="/struts-action-name.jspa"/>">

On the other hand a quick search shows 2500 uses of that tag in the project and refactoring all those would not be a very fun/efficient job :(

Any help, comments or suggestions would be highly appreciated.

-Andre

Upvotes: 1

Views: 1147

Answers (3)

Dave Newton

Reputation: 160261

The url tag doesn't "append" to anything--it creates a URL relative to the application, in this case based on a configured action name. Assuming an action named "f1" and a root deployment, the only thing the tag would produce is an absolute URL `/f1.action` (or `/f1` with no extension).

Given:

<struts>
  <constant name="struts.devMode" value="true"/>
  <constant name="struts.action.extension" value=",,action"/>

  <package name="default" namespace="/" extends="struts-default">
    <action name="f1" class="radios.RadioAction" method="input">
      <result name="input" type="freemarker">/WEB-INF/radios/input.ftl</result>
    </action>
...

The FreeMarker fragment:

<@s.url action="f1"/>

will output:

/f1

You may need to provide more info: are you using specific plugins (like Convention), etc?

Upvotes: 1

Erlend

Reputation: 4416

I do find it weird that it does not automatically url-encode those parts of the URL, as that's what I would expect it to do. So I would consider this a bug. Maybe contact the Struts developers about this one. Most of their other tags do automatic encoding, so it's weird that this one doesn't.

Upvotes: 0

jeha

Reputation: 10730

You could extend org.apache.struts2.views.jsp.URLTag and replace the existing tag or add a new tag in struts-tags.tld.

Upvotes: 0
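A template-level alternative to the custom-tag approach, added here as an example that is not from the question or any of the answers: a FreeMarker macro captures what `<@s.url>` writes and HTML-escapes it before it is placed in the attribute, so a request path carrying `">` can no longer break out of the quoted `action` value. It assumes the Struts2 FreeMarker tag library is bound to `s`, as in the question.

```freemarker
<#-- Added example, not from the question or answers. Assumes the Struts2
     FreeMarker tag library is available as "s", as in the question. -->

<#-- Wrapper macro: captures whatever <@s.url> writes into a local variable
     and HTML-escapes it (&, <, >, ") before it lands inside an attribute. -->
<#macro safeUrl action>
  <#local raw><@s.url action=action/></#local>
  ${raw?html}<#t>
</#macro>

<#-- Vulnerable form (the situation in the question): the tag output is
     written verbatim into the attribute, so a request path containing
     "><ScRiPt>... closes the attribute and the tag. -->
<form action="<@s.url action="struts-action-name"/>">

<#-- Hardened form: same tag, same action name, but the captured output is
     escaped. For the request path in the question it renders as
     /community/examples/xss187ba&quot;&gt;&lt;ScRiPt&gt;alert(1)&lt;/ScRiPt&gt;506d1768713/career_development
     which stays inside the double-quoted attribute and is not parsed as markup. -->
<form action="<@safeUrl action="struts-action-name"/>">
```

`?html` does not escape the apostrophe, so keep the attribute double-quoted (or use `?xhtml`, which escapes `'` as well). This only closes the attribute-injection path; it does not change what the url tag itself emits.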
